All the vulnerabilites related to osquery - osquery
cve-2020-26273
Vulnerability from cvelistv5
Published
2020-12-16 01:20
Modified
2024-08-04 15:56
Severity ?
EPSS score ?
Summary
osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite's ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:56:04.061Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "osquery",
"vendor": "osquery",
"versions": [
{
"status": "affected",
"version": "\u003c 4.6.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite\u0027s ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-16T01:20:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
}
],
"source": {
"advisory": "GHSA-4g56-2482-x7q8",
"discovery": "UNKNOWN"
},
"title": "sqlite ATTACH allows some filesystem access",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-26273",
"STATE": "PUBLIC",
"TITLE": "sqlite ATTACH allows some filesystem access"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "osquery",
"version": {
"version_data": [
{
"version_value": "\u003c 4.6.0"
}
]
}
}
]
},
"vendor_name": "osquery"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework. In osquery before version 4.6.0, by using sqlite\u0027s ATTACH verb, someone with administrative access to osquery can cause reads and writes to arbitrary sqlite databases on disk. This _does_ allow arbitrary files to be created, but they will be sqlite databases. It does not appear to allow existing non-sqlite files to be overwritten. This has been patched in osquery 4.6.0. There are several mitigating factors and possible workarounds. In some deployments, the people with access to these interfaces may be considered administrators. In some deployments, configuration is managed by a central tool. This tool can filter for the `ATTACH` keyword. osquery can be run as non-root user. Because this also limits the desired access levels, this requires deployment specific testing and configuration."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8",
"refsource": "CONFIRM",
"url": "https://github.com/osquery/osquery/security/advisories/GHSA-4g56-2482-x7q8"
},
{
"name": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension",
"refsource": "MISC",
"url": "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#remote-command-execution-using-sqlite-command---load_extension"
},
{
"name": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c",
"refsource": "MISC",
"url": "https://github.com/osquery/osquery/commit/c3f9a3dae22d43ed3b4f6a403cbf89da4cba7c3c"
},
{
"name": "https://github.com/osquery/osquery/releases/tag/4.6.0",
"refsource": "MISC",
"url": "https://github.com/osquery/osquery/releases/tag/4.6.0"
}
]
},
"source": {
"advisory": "GHSA-4g56-2482-x7q8",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-26273",
"datePublished": "2020-12-16T01:20:19",
"dateReserved": "2020-10-01T00:00:00",
"dateUpdated": "2024-08-04T15:56:04.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-11081
Vulnerability from cvelistv5
Published
2020-07-10 18:45
Modified
2024-08-04 11:21
Severity ?
EPSS score ?
Summary
osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm | x_refsource_CONFIRM | |
| https://github.com/osquery/osquery/issues/6426 | x_refsource_MISC | |
| https://github.com/osquery/osquery/pull/6433 | x_refsource_MISC | |
| https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5 | x_refsource_MISC | |
| https://github.com/osquery/osquery/releases/tag/4.4.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:21:14.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/issues/6426"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/pull/6433"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "osquery",
"vendor": "osquery",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-114",
"description": "CWE-114: Process Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-17T16:52:34",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/osquery/osquery/issues/6426"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/osquery/osquery/pull/6433"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
}
],
"source": {
"advisory": "GHSA-2xwp-8fv7-c5pm",
"discovery": "UNKNOWN"
},
"title": "osquery susceptible to DLL search order hijacking of zlib1.dll",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-11081",
"STATE": "PUBLIC",
"TITLE": "osquery susceptible to DLL search order hijacking of zlib1.dll"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "osquery",
"version": {
"version_data": [
{
"version_value": "\u003c 4.4.0"
}
]
}
}
]
},
"vendor_name": "osquery"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "osquery before version 4.4.0 enables a privilege escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables local escalation. This is fixed in version 4.4.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-114: Process Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm",
"refsource": "CONFIRM",
"url": "https://github.com/osquery/osquery/security/advisories/GHSA-2xwp-8fv7-c5pm"
},
{
"name": "https://github.com/osquery/osquery/issues/6426",
"refsource": "MISC",
"url": "https://github.com/osquery/osquery/issues/6426"
},
{
"name": "https://github.com/osquery/osquery/pull/6433",
"refsource": "MISC",
"url": "https://github.com/osquery/osquery/pull/6433"
},
{
"name": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5",
"refsource": "MISC",
"url": "https://github.com/osquery/osquery/commit/4d4957f12a6aa0becc9d01d9f97061e1e3d809c5"
},
{
"name": "https://github.com/osquery/osquery/releases/tag/4.4.0",
"refsource": "MISC",
"url": "https://github.com/osquery/osquery/releases/tag/4.4.0"
}
]
},
"source": {
"advisory": "GHSA-2xwp-8fv7-c5pm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-11081",
"datePublished": "2020-07-10T18:45:16",
"dateReserved": "2020-03-30T00:00:00",
"dateUpdated": "2024-08-04T11:21:14.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}